Merge pull request #1631 from leegengyu/patch-5

Update mordordatasets links
Florian Roth 2021-07-06 10:45:15 +02:00 committed by GitHub
commit 8beb70e970
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 6 deletions


@ -9,7 +9,7 @@ tags:
- attack.t1021.002
references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
- https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
logsource:
product: windows
service: security
@ -23,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: high
level: high
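Review bot: The second hunk of this file shows `level: high` on both sides with no visible difference, so the actual change there cannot be recovered from this render — presumably trailing whitespace or the newline at end of file. The same applies to the second hunks of the other two files in this commit. If it is the missing final newline, a yamllint `new-line-at-end-of-file` check in CI would keep it from regressing. The `detection` block and the rest of each rule lie outside the hunks shown.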


@ -9,7 +9,7 @@ tags:
- attack.collection
- attack.t1056.002
references:
- https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
logsource:
@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- other legitimate processes loading those DLLs in your environment.
level: medium
level: medium


@ -8,7 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1220
references:
- https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
logsource:
@ -23,4 +23,4 @@ detection:
condition: selection
falsepositives:
- Apparently, wmic os get lastboottuptime loads vbscript.dll
level: high
level: high